Revolut’s Fine in Lithuania May Push It Toward Direct AMLA Supervision

This week’s decision by the Lithuanian Central Bank to impose a €3.5 million fine on Revolut for failures in financial crime compliance (FCC) could also have placed the fintech on the radar for direct supervision by the EU’s new Anti-Money Laundering Authority (AMLA). With AMLA preparing to select Europe’s 40 highest-risk obliged entities for direct oversight from its headquarters in Frankfurt, Revolut, already known for its extensive cross-border operations, now stands out even more following the fine for persistent anti-money laundering (AML) shortcomings. The fact that Revolut is based in the United Kingdom while holding its banking license through Lithuania further intensifies the likelihood of heightened scrutiny.

Entities chosen for direct supervision will be subjected to much stricter oversight as the European Union ramps up enforcement efforts against financial crime. How AMLA will determine which entities fall under its direct watch is set out clearly in Articles 12 to 14 of the relevant EU legislation, establishing a selection process based on a multi-factor risk assessment that combines internal benchmarks, sectoral data, and national-level indicators.

Only entities with a residual risk ultimately classified as high will be considered eligible for selection. Should more than 40 entities meet the high-risk threshold, AMLA will work with national supervisors to trim the list, balancing considerations of capacity and available resources. Entities active in Member States with significant volumes of transactions linked to third countries will be prioritized. Cross-border reach and systemic relevance will also be key factors.

The scope of eligible institutions is broad and includes credit institutions, crypto-asset service providers, payment institutions, collective investment undertakings, life insurers and intermediaries, investment firms, bureaux de change, and various other financial institutions.

Under Article 12, AMLA will conduct regular assessments across at least six Member States, evaluating both physical presences and remote operations. The authority will classify entities into low, medium, substantial, or high-risk profiles, with evaluations based on two principal dimensions: Inherent Risk—which accounts for factors such as customers, products, services, transactions, and delivery channels—and Residual Risk, which assesses the effectiveness of internal controls and mitigation efforts.

Benchmarks to determine an entity’s risk level will include the proportion of non-resident or high-risk third-country clients (such as politically exposed persons), the volume of high-risk transactions or services offered, the degree of anonymity or privacy protections (particularly in crypto services), geographic exposure through cross-border transactions and offshore links, and engagement in high-risk activities like correspondent banking and crypto-asset services.

Article 14 also allows for exceptional cases where AMLA can assume direct supervision over an entity not originally selected. This can happen if a national supervisor identifies a specific AML or counter-terrorism financing (CFT) failure or detects risks linked to shadow banking or sanctions evasion. In such instances, the national supervisor must submit a comprehensive risk case, transfer timeline, and supporting data to AMLA.

The initial selection of entities for direct supervision is scheduled to begin by July 1, 2027, with new lists published periodically thereafter. AMLA is required to notify selected entities and the corresponding national authorities in advance of any changes.

Strategically, this supervisory shift underscores the EU’s determination to move toward a more risk-based and intelligence-driven AML regime, ensuring that supervisory intensity is proportionate to the level of threat exposure, according to the legislative framework. It reflects a broader trend toward centralised AML enforcement at the EU level, with AMLA taking on an increasingly operational role, especially within the banking and crypto sectors.

The AML community is now anticipating the release of draft regulatory technical standards by January 2026, which are expected to provide more precise guidance on how the selection benchmarks will be practically applied.

By fLEXI tEAM